GPG refuses to sign with a key that has unknown trust. Set the
imported key to ultimate trust after import.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dump rpmmacros, gpg keys, and file permissions before signing to
debug the silent failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Direct stdout/stderr capture may miss gpg subprocess output. Write
to a temp file and cat it on failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Capture stderr from rpm --addsign so the actual gpg error is visible
when signing fails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The rpm keyring import needs root access which CI doesn't have.
Client-side verification on install is sufficient.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ensures package, publish, and poll-upstream jobs are picked up by
Fedora 43 runners specifically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Import the GPG public key into rpm's keyring so rpm --checksig can
verify signatures. Also use --undefine dist before --define to ensure
the CLI value overrides the system macro on the build host.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The custom %__gpg_sign_cmd macro with %{__plaintext_filename} is not
supported on modern rpm. Instead, configure gpg-agent for loopback
pinentry and let rpm use its default sign command.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The heredoc with column-0 lines inside a YAML block scalar may
confuse Gitea's workflow parser. Move rpmmacros content to
rpm/rpmmacros as a template with sed substitution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea may not support matrix expressions in job-level concurrency
groups. The workflow-level concurrency group already prevents
parallel runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea 1.25 does not support array values in matrix includes for
runs-on, causing the dispatch API to return 500. Revert to a single
runner label.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add fedora_version to build, package, and publish matrices so the
pipeline can target multiple Fedora releases in parallel. Force the
dist tag via --define to ensure RPMs are stamped correctly regardless
of build host. Update poll-upstream to check all fedora/flavour
combinations before triggering a build.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The echo-based approach was mangling rpm macro tokens like
%{__plaintext_filename}. Switch to a heredoc so the content is
written verbatim.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
%{__gpg} already expands to /usr/bin/gpg, so the extra "gpg" was
passed as a positional argument causing all flags to be ignored.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add %__gpg_sign_cmd macro to ~/.rpmmacros with --batch, --no-tty, and
--pinentry-mode loopback so rpm --addsign works without a TTY in CI.
Also add signing progress output and post-sign verification to
publish-repo.sh for easier debugging.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea's download-artifact does not support merge-multiple, so RPMs
end up in subdirectories. Add a step to move them into the expected
flat directory before publish-repo.sh runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The shared runner retains ~/.rpmmacros from previous publish jobs,
causing a spurious "Macro %_gpg_name has empty body" error during
rpmbuild in the package job.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add script/setup/gpg.sh to generate a dedicated lair keyring with a
certify-only master key and a 1-year signing subkey, cross-signed by
both personal keys. The public key is synced to oolon as <short-id>.gpg.
Update nginx config to serve any .gpg file instead of a hardcoded
RPM-GPG-KEY-mistralrs path, supporting multiple keys as the repo grows.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Poll was firing every minute, dispatching new builds that cancelled
the running one. Restore 15-minute cron interval and add shared
concurrency group across both workflows so new polls queue instead
of re-dispatching.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The gitea runner user on beast doesn't have Rust installed.
Reuses existing installation on subsequent runs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea Actions doesn't support fromJSON in matrix strategies
(expressions are evaluated before dependent jobs run). Move
flavour definitions into the workflow as static matrix includes
and remove flavours.yml.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The runners have python yq (jq wrapper), not mikefarah/yq (Go).
Replace -o=json -I=0 with --compact-output which is the jq equivalent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gitea API requires refs/heads/main (not just main) and
Content-Type: application/json for the dispatch endpoint.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The automatic GITEA_TOKEN cannot trigger other workflows. Use a
dedicated DISPATCH_TOKEN secret (personal access token with
repository read/write scope) instead.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The automatic GITEA_TOKEN lacks actions:write by default, causing
a 422 when dispatching the build-release workflow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
--fail causes curl to exit 22 on HTTP errors before --write-out can
capture the response code, breaking the 200/404 branching logic.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move from /var/www/rpm/mistralrs/fedora-43/x86_64/ to
/var/www/rpm/fedora/43/x86_64/ so the repo can host packages
from multiple projects under a conventional hierarchy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
